From: Adriaan de Jong Date: Thu, 23 Jun 2011 07:41:28 +0000 (+0200) Subject: Refactored maximum cipher and hmac length constants X-Git-Tag: v2.3-alpha1~175 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23ee3563de28820919fe83f8f5b7289dc4ed42ae;p=thirdparty%2Fopenvpn.git Refactored maximum cipher and hmac length constants Signed-off-by: Adriaan de Jong Acked-by: David Sommerseth Signed-off-by: David Sommerseth
---
diff --git a/crypto.c b/crypto.c
index 8af5b7ad5..a1986e096 100644
--- a/crypto.c
+++ b/crypto.c
@@ -33,18 +33,6 @@
 #include "memdbg.h"
-/*
- * Check for key size creepage.
- */
-
-#if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH
-#warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH
-#endif
-
-#if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE
-#warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
-#endif
-
 /*
 * Encryption and Compression Routines.
 *
diff --git a/crypto.h b/crypto.h
index 5165d0f3e..2ddee5f15 100644
--- a/crypto.h
+++ b/crypto.h
@@ -172,29 +172,6 @@ cipher_ok (const char* name)
 #define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_type(e))
 #endif
-/*
- * Max size in bytes of any cipher key that might conceivably be used.
- *
- * This value is checked at compile time in crypto.c to make sure
- * it is always at least EVP_MAX_KEY_LENGTH.
- *
- * We define our own value, since this parameter
- * is used to control the size of static key files.
- * If the OpenSSL library increases EVP_MAX_KEY_LENGTH,
- * we don't want our key files to be suddenly rendered
- * unusable.
- */
-#define MAX_CIPHER_KEY_LENGTH 64
-
-/*
- * Max size in bytes of any HMAC key that might conceivably be used.
- *
- * This value is checked at compile time in crypto.c to make sure
- * it is always at least EVP_MAX_MD_SIZE. We define our own value
- * for the same reason as above.
- */
-#define MAX_HMAC_KEY_LENGTH 64
-
 /*
 * Defines a key type and key length for both cipher and HMAC.
 */
@@ -206,7 +183,6 @@ struct key_type
 const EVP_MD *digest;
 };
-
 /**
 * Container for unidirectional cipher and HMAC %key material.
 * @ingroup control_processor
diff --git a/crypto_backend.h b/crypto_backend.h
index 9f8eb047e..31935ed24 100644
--- a/crypto_backend.h
+++ b/crypto_backend.h
@@ -58,4 +58,38 @@
 */
 int rand_bytes (uint8_t *output, int len);
+/*
+ *
+ * Generic cipher key type functions
+ *
+ */
+/*
+ * Max size in bytes of any cipher key that might conceivably be used.
+ *
+ * This value is checked at compile time in crypto.c to make sure
+ * it is always at least EVP_MAX_KEY_LENGTH.
+ *
+ * We define our own value, since this parameter
+ * is used to control the size of static key files.
+ * If the OpenSSL library increases EVP_MAX_KEY_LENGTH,
+ * we don't want our key files to be suddenly rendered
+ * unusable.
+ */
+#define MAX_CIPHER_KEY_LENGTH 64
+
+/*
+ *
+ * Generic message digest information functions
+ *
+ */
+
+/*
+ * Max size in bytes of any HMAC key that might conceivably be used.
+ *
+ * This value is checked at compile time in crypto.c to make sure
+ * it is always at least EVP_MAX_MD_SIZE. We define our own value
+ * for the same reason as above.
+ */
+#define MAX_HMAC_KEY_LENGTH 64
+
 #endif /* CRYPTO_BACKEND_H_ */
diff --git a/crypto_openssl.c b/crypto_openssl.c
index cbe559afa..9e547b478 100644
--- a/crypto_openssl.c
+++ b/crypto_openssl.c
@@ -37,6 +37,18 @@
 #include
 #include
+/*
+ * Check for key size creepage.
+ */
+
+#if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH
+#warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH
+#endif
+
+#if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE
+#warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
+#endif
+
 /*
 *
 * Random number functions, used in cases where we want
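Review bot: The two comments added to crypto_backend.h still say the value "is checked at compile time in crypto.c", but this same commit moves both `#if` checks into crypto_openssl.c, so the pointer is stale as soon as it lands. I would reword both occurrences to `This value is checked at compile time in crypto_openssl.c to make sure`. The header appears intended to be backend-neutral, so the comment could also say that the comparison lives only in the OpenSSL backend and that any other backend needs its own check against its library's maximum. The section banners read "functions" but sit above plain `#define`s, which may confuse readers until functions are added there.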
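Review bot: The relocated checks in crypto_openssl.c only emit `#warning`, so a build against an OpenSSL whose EVP_MAX_KEY_LENGTH or EVP_MAX_MD_SIZE exceeds 64 still succeeds and nothing stops a larger key from meeting a 64-byte bound. If anything is sized by these constants (not visible in this diff), confirm that the code copying key material rejects lengths above them at runtime, or make the mismatch fatal with `#error MAX_CIPHER_KEY_LENGTH is smaller than EVP_MAX_KEY_LENGTH` and the HMAC equivalent. The comparison is also silent when the EVP macro is undefined, because an undefined identifier in `#if` evaluates to 0. A short comment stating that the block must stay below the OpenSSL and crypto_backend.h includes would protect against that.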